FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration

Published On: September 15, 2025


Organizations worldwide rely on Salesforce to power their critical business operations, managing everything from customer relationships to vital sales data. This reliance makes Salesforce instances prime targets for sophisticated cybercriminal groups. Reports confirm that two such groups, UNC6040 and UNC6395, are actively exploiting vulnerabilities within these environments, leading to significant data breaches and extortion attempts. The Federal Bureau of Investigation (FBI) has issued a flash alert, providing crucial Indicators of Compromise (IOCs) and defensive strategies to help organizations secure their Salesforce platforms against these persistent threats.

FBI Warning: Cyber Attacks Targeting Salesforce for Data Exfiltration

On September 12, 2025, the FBI published a critical advisory detailing the activities of UNC6040 and UNC6395. These cybercriminal groups specialize in compromising Salesforce instances not for direct financial fraud, but for data exfiltration with the ultimate goal of extortion. This approach focuses on stealing sensitive organizational data and then using the threat of its disclosure to pressure victims into paying ransoms. This is a significant shift from traditional ransomware attacks that encrypt data; instead, it targets the confidentiality of critical business information.

Understanding UNC6040 and UNC6395 Threat Actors

The FBI’s alert specifically identifies UNC6040 and UNC6395 as the primary perpetrators. While the exact methods of initial access for these groups are not fully detailed in the summary, their modus operandi centers on gaining unauthorized access to Salesforce environments. Once inside, their objective is clear: systematically extract as much valuable data as possible. This data, which can include customer information, proprietary business intelligence, financial records, and other sensitive details, then becomes the leverage for their extortion demands. The operational sophistication of these groups suggests a well-planned and executed strategy aimed at high-value targets.

Malicious Activity and Data Exfiltration Techniques

The core of these attacks involves the unauthorized exfiltration of data from compromised Salesforce instances. Cybercriminals exploit various weaknesses, which may include misconfigurations, weak authentication, social engineering, or potentially undisclosed vulnerabilities. Once access is established, the attackers systematically identify and download sensitive datasets. The motivation is purely financial, hinging on the victim’s willingness to pay to prevent the public disclosure or sale of their stolen data. This type of attack is particularly damaging because it directly impacts an organization’s reputation, regulatory compliance, and customer trust.

Remediation Actions and Protective Measures

Protecting Salesforce environments requires a multi-layered security approach. Organizations must prioritize immediate action to mitigate the risks posed by UNC6040 and UNC6395. The FBI’s advisory emphasizes proactive and reactive measures.

  • Implement Strong Authentication: Mandate multi-factor authentication (MFA) for all Salesforce users, especially administrators. Regularly review and enforce strong password policies.
  • Regular Security Audits: Conduct frequent audits of Salesforce configurations, user permissions, and access logs. Identify and remediate any misconfigurations or excessive privileges.
  • Monitor for Suspicious Activity: Deploy robust logging and monitoring solutions tailored for Salesforce. Pay close attention to unusual login patterns, large data exports, or changes to critical settings.
  • Enforce Principle of Least Privilege: Ensure users and integrations only have the minimum necessary access to perform their functions. Regularly review and revoke unnecessary permissions.
  • Educate Users: Train employees on social engineering tactics, phishing scams, and safe browsing habits to prevent initial compromise.
  • Keep Salesforce Updated: Ensure all Salesforce instances and connected applications are running the latest security patches and updates.
  • Data Encryption: Encrypt sensitive data at rest and in transit within Salesforce to add an extra layer of protection against unauthorized access.
  • Incident Response Plan: Develop and regularly test a comprehensive incident response plan specifically for Salesforce breaches, focusing on detection, containment, eradication, and recovery.

Indicators of Compromise (IOCs) for Detection

While specific IOCs were not directly provided in the brief summary, the FBI’s alert would typically include details such as:

  • Suspicious IP Addresses: IP addresses associated with command-and-control servers or data exfiltration points.
  • Unusual User Accounts: Newly created or dormant accounts exhibiting sudden activity.
  • Anomalous Login Locations: Logins from unexpected geographical locations or anonymizing services.
  • Large Data Export Activities: Querying or exporting large volumes of data, especially by non-administrative users or during off-hours.
  • Specific API Calls: Unusual or unauthorized API calls indicative of data manipulation or extraction.
  • Malicious File Hashes: If any malware is utilized in the attack chain to facilitate access or exfiltration within the Salesforce environment.

Organizations should integrate these IOCs into their security information and event management (SIEM) systems and intrusion detection systems (IDS) for proactive threat hunting and alert generation. Continuously updated threat intelligence feeds are also crucial for staying ahead of new indicators.
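The monitoring advice above (unusual login patterns, dormant accounts waking up, large data exports by non-administrative users or during off-hours) can be turned into concrete hunting rules. The script below is an added example written for this article, not code from the FBI alert or from Salesforce: it runs three such rules over a handful of constructed activity records and then flags users who tripped more than one rule. The record layout, field names (`ts`, `user`, `type`, `country`, `rows`, `admin`), baselines and thresholds are all assumptions made for the example; map them onto whatever your actual Salesforce log export and SIEM provide.

```python
"""Rule-based hunting over Salesforce-style activity records.

Added example, not from the FBI alert or Salesforce: the record layout below is a
constructed simplification (assumption), not the real Salesforce EventLogFile
schema. Map the field names to whatever your log export actually uses.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (assumption: one dict per event, UTC timestamps).
EVENTS = [
    {"ts": "2025-09-10T09:12:00Z", "user": "alice", "type": "Login", "country": "US", "admin": False},
    {"ts": "2025-09-10T09:20:00Z", "user": "alice", "type": "ReportExport", "rows": 1200, "admin": False},
    {"ts": "2025-09-11T02:45:00Z", "user": "alice", "type": "Login", "country": "NL", "admin": False},
    {"ts": "2025-09-11T02:50:00Z", "user": "alice", "type": "ApiQuery", "rows": 250000, "object": "Contact", "admin": False},
    {"ts": "2025-09-11T03:05:00Z", "user": "svc-legacy", "type": "Login", "country": "US", "admin": True},
    {"ts": "2025-09-11T03:10:00Z", "user": "svc-legacy", "type": "ApiQuery", "rows": 90000, "object": "Account", "admin": True},
]

# Baselines an analyst would derive from historical logs (constructed here).
KNOWN_COUNTRIES = {"alice": {"US"}, "svc-legacy": {"US"}}
LAST_SEEN = {"alice": "2025-09-09T17:00:00Z", "svc-legacy": "2025-06-01T08:00:00Z"}

EXPORT_ROW_THRESHOLD = 50_000   # rows in a single export or query (assumed threshold)
DORMANT_DAYS = 60               # idle longer than this counts as dormant (assumed)
OFF_HOURS = range(0, 6)         # 00:00-05:59 UTC treated as off-hours (assumed)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(events, known_countries, last_seen):
    """Run the three detection rules in time order; return a list of findings."""
    findings = []
    countries = {u: set(c) for u, c in known_countries.items()}
    seen = {u: parse_ts(t) for u, t in last_seen.items()}

    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = parse_ts(e["ts"]), e["user"]

        if e["type"] == "Login":
            # Rule 1: login from a country absent from the user's baseline.
            if e["country"] not in countries.setdefault(user, set()):
                findings.append({"rule": "new_login_country", "user": user,
                                 "detail": e["country"]})
                countries[user].add(e["country"])
            # Rule 2: a dormant account coming back to life.
            if user in seen:
                idle = (ts - seen[user]).days
                if idle > DORMANT_DAYS:
                    findings.append({"rule": "dormant_account_active", "user": user,
                                     "detail": idle})

        if e["type"] in ("ReportExport", "ApiQuery") and e.get("rows", 0) > EXPORT_ROW_THRESHOLD:
            # Rule 3: bulk data pull; off-hours or non-admin context raises severity.
            flags = []
            if ts.hour in OFF_HOURS:
                flags.append("off-hours")
            if not e["admin"]:
                flags.append("non-admin")
            findings.append({"rule": "bulk_export", "user": user,
                             "detail": {"rows": e["rows"], "object": e.get("object"), "flags": flags}})

        seen[user] = ts  # every event refreshes the last-seen baseline
    return findings


def prioritize(findings):
    """Users that tripped two or more distinct rules deserve immediate review."""
    by_user = defaultdict(set)
    for f in findings:
        by_user[f["user"]].add(f["rule"])
    return sorted(u for u, rules in by_user.items() if len(rules) >= 2)


if __name__ == "__main__":
    results = hunt(EVENTS, KNOWN_COUNTRIES, LAST_SEEN)
    for f in results:
        print(f)
    print("escalate:", prioritize(results))
```

On the constructed data the script raises a new-country login and an off-hours bulk query for `alice`, and a dormant-account login followed by an off-hours bulk query for `svc-legacy`; both users end up on the escalation list. The correlation step in `prioritize` is the part worth keeping: a single bulk export by an administrator is routine, but the same user also logging in from a new country or after months of inactivity is the pattern the advisory's IOC categories describe.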

Conclusion

The FBI’s alert regarding UNC6040 and UNC6395 underscores the persistent and evolving threat landscape facing cloud platforms like Salesforce. Data exfiltration for extortion is a serious concern, directly impacting an organization’s most valuable asset: its data. By implementing the recommended remediation actions, closely monitoring for IOCs, and fostering a strong security posture, organizations can significantly reduce their risk of falling victim to these sophisticated cybercriminal groups. Proactive defense and immediate response are paramount in securing critical business applications.
